I have recently installed a Fedora 33 system on a private network and it needs to contact three specific DNS servers for internal-only DNS resolution. The DNS server addresses are configured, but the DNS servers don’t appear to support more than unicast UDP and DNS lookups have been spotty with long delays logging in via ssh.
I have been able to find the global default to disable LLMNR (LLMNR=false in /etc/systemd/resolved.conf), but the link-level setting is still present for ens192 -
[root@fedora33lab ~]# resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Link 2 (ens192)
Current Scopes: DNS
Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.x.x.x
DNS Servers: 10.x.x.x 10.x.x.x 10.x.x.x
DNS Domain: example.com ~.
I have added llmnr=no to the /etc/NetworkManager/system-connections/ens192.nmconnection file and rebooted, but this does not seem to have affected the resolvectl status info -
The goal would be to define a standard template for environment-wide use where LLMNR would always be disabled for all interfaces on a system-wide basis, using a method that would be most likely to persist between Fedora version upgrades.
Thank you, that has worked to change the setting for ens192 - DNS resolution is now instantaneous!
The nmcli command has changed the setting from llmnr=no to llmnr=0 in the ens192.nmconnection file - looks like I misread nm-settings-nmcli(8), and the Protocols line now reads as follows:
Would there be a general way of setting this in one location instead of on a per-connection basis? The use case is server VMs that would be deployed using templates, so minimizing post-build configuration work and system-specific steps is ideal.
In my research, I was directed to an article that identifies LLMNR as a serious risk vector as well as being outmoded, so it looks as though it could be a better default to have it turned off -
Not sure if that would be worthy of a feature request, but using enterprise Linux, this is the kind of thing I would be directed to shut off for security reasons.
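As an added example (not part of this thread), a small shell audit that flags any resolved scope still advertising +LLMNR, run here against constructed status text mirroring the output quoted above, with the per-connection and connection-wide NetworkManager settings noted in comments (the [connection] default in NetworkManager.conf is taken from NetworkManager.conf(5) and nm-settings; confirm against your installed version):

```bash
#!/usr/bin/env bash
# Added example: audit `resolvectl status` text for scopes with LLMNR enabled.
# SAMPLE_STATUS is constructed to mirror the thread's output; pipe in real
# `resolvectl status` output to audit a live system.

SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (ens192)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.x.x.x
       DNS Servers: 10.x.x.x 10.x.x.x 10.x.x.x
        DNS Domain: example.com ~.'

# llmnr_enabled_links: read status text on stdin and print each scope header
# ("Global" or "Link N (ifname)") whose Protocols line contains +LLMNR.
llmnr_enabled_links() {
    awk '
        /^Global$/ || /^Link [0-9]+ \(/ { scope = $0 }
        /Protocols:/ && /\+LLMNR/      { print scope }
    '
}

# llmnr_audit: exit 0 when no scope has LLMNR enabled, 1 otherwise, so it can
# run as a post-build check or compliance probe on templated VMs.
llmnr_audit() {
    offenders=$(llmnr_enabled_links)
    [ -z "$offenders" ] && return 0
    printf 'LLMNR still enabled on: %s\n' "$offenders" >&2
    return 1
}

# Remediation for reference (not executed here):
#   one connection:  nmcli connection modify ens192 connection.llmnr 0
#                    nmcli connection up ens192
#   all connections: /etc/NetworkManager/conf.d/llmnr.conf containing
#                        [connection]
#                        connection.llmnr=0
#                    then: systemctl restart NetworkManager
#   resolved global: LLMNR=no in /etc/systemd/resolved.conf

# Stand-alone run: report the offending scope in the sample ("Link 2 (ens192)").
printf '%s\n' "$SAMPLE_STATUS" | llmnr_enabled_links
```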